FIM - Codeless

Kent Nordström
Blog: http://konab.com
Twitter: http://twitter.com/kentnordstrom
© 2014 XP Services AB. All rights reserved.
Kent Nordström
http://xpservices.se
Topic
FIM 2010 R2 codeless (or less-code) deployments
FIM 2010 R2 Handbook
History
MIIS/ILM
“All” logic built using Visual Studio (rules extension, VB.NET):
    Case "user:description"
        ' Flow a default value when the metaverse attribute is missing
        Dim description As String = String.Empty
        If mventry("inetUserStatus").IsPresent Then
            description = mventry("inetUserStatus").Value
        Else
            description = "missing"
        End If
FIM 2010
Declarative Synchronization Rules
Declarative Provisioning (custom expression flowing to userAccountControl):
    IIF(companyActive,
        IIF(IsPresent(companyUAC), BitAnd(9223372036854775805, companyUAC), 512),
        IIF(IsPresent(companyUAC), BitOr(2, companyUAC), 514))  -> userAccountControl
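To see what the declarative provisioning expression above actually does to userAccountControl, here is an added Python model of it (not from the slides and not FIM code): BitAnd, BitOr and IIF are reproduced over the same constants, and the flag names are the standard AD userAccountControl bits. The point it makes visible is that 9223372036854775805 is Int64.MaxValue with bit 1 (ACCOUNTDISABLE, value 2) cleared, so the "active" branch enables the account while keeping every other flag, and the "inactive" branch only sets that one bit.

```python
from typing import List, Optional

# Standard AD userAccountControl flag bits (subset), used to read results
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200  # 512; 514 on the slide is NORMAL_ACCOUNT | ACCOUNTDISABLE

# The mask from the slide: Int64.MaxValue (2**63 - 1) with bit 1 cleared.
# FIM integers are signed 64-bit, so the mask must stay a positive Int64.
ENABLE_MASK = 9223372036854775805
assert ENABLE_MASK == (2**63 - 1) & ~ACCOUNTDISABLE


def bit_and(a: int, b: int) -> int:   # FIM BitAnd
    return a & b


def bit_or(a: int, b: int) -> int:    # FIM BitOr
    return a | b


def iif(cond: bool, if_true, if_false):  # FIM IIF (both branches evaluated eagerly here)
    return if_true if cond else if_false


def uac_flow(company_active: bool, company_uac: Optional[int]) -> int:
    """userAccountControl the slide's expression flows; None models IsPresent(companyUAC) == false."""
    present = company_uac is not None
    current = company_uac if present else 0
    return iif(company_active,
               iif(present, bit_and(ENABLE_MASK, current), NORMAL_ACCOUNT),
               iif(present, bit_or(ACCOUNTDISABLE, current), NORMAL_ACCOUNT | ACCOUNTDISABLE))


def describe_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    # A disabled normal account with a non-expiring password becomes enabled, other flags untouched
    print(uac_flow(True, 0x10202), describe_uac(uac_flow(True, 0x10202)))
```

Because FIM evaluates the expression with the connected system's current value, the same rule is safe to run repeatedly: enabling an already enabled account or disabling an already disabled one leaves the value unchanged.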
Synchronization Rules
“Kent’s Best Practices”
• NO ERE’s and DRE’s (Expected / Detected Rule Entries)
• Multiple Outbound rules to avoid complex IIF logic
    • Rule 1: Common user attributes
    • Rule 2: Provisioning Employee
    • Rule 3: Provisioning Students
Synchronization Rules – cont.
“Kent’s Best Practices”
• CustomExpression rather than UI function builder
• RulesExtensions
    • Shared DLL: CompanyRulesExtension.dll
    • Flow rule name: MA:ObjectType:TargetAttribute
• Type conversions
    // FILETIME (lastLogonTimestamp) to the dateTime string format FIM Service expects
    DateTime dtFileTime = DateTime.FromFileTime(csentry["lastLogonTimestamp"].IntegerValue);
    mventry["companyLastLogon"].Value = dtFileTime.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'");
• MultiValue attributes
    // Add the primary SMTP address once; leave the flow rule if it is already there
    string primarySmtp = "SMTP:" + mventry["email"].Value.ToLower();
    if (csentry["proxyAddresses"].IsPresent && csentry["proxyAddresses"].Values.Contains(primarySmtp))
    {
        break; // already present, nothing to flow
    }
    csentry["proxyAddresses"].Values.Add(primarySmtp);
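The two rules-extension snippets above do a FILETIME conversion and an idempotent multi-value add. As an added example (not from the slides and not FIM library code), here is the same logic in Python so the conversion can be checked against a known value: FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC, and 116444736000000000 is the Unix epoch. The proxyAddresses helper mirrors the corrected C# rule: the primary SMTP address is added only when it is not already in the list, so running the flow twice changes nothing.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01T00:00:00Z expressed as FILETIME


def filetime_to_fim_datetime(filetime: int) -> str:
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to the
    'yyyy-MM-ddTHH:mm:ss.000' string the slide flows into FIM Service.
    A lastLogonTimestamp of 0 means 'never logged on' and maps to 1601-01-01."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    dt = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)  # drop sub-microsecond ticks
    return dt.replace(tzinfo=None).isoformat(timespec="seconds") + ".000"


def ensure_primary_smtp(proxy_addresses: Iterable[str], email: str) -> List[str]:
    """Return proxyAddresses with 'SMTP:<email lower-cased>' present exactly once."""
    primary = "SMTP:" + email.lower()
    result = list(proxy_addresses)
    if primary not in result:          # the C# rule's Values.Contains() check
        result.append(primary)
    return result


if __name__ == "__main__":
    print(filetime_to_fim_datetime(UNIX_EPOCH_FILETIME))
    print(ensure_primary_smtp(["smtp:alias@example.com"], "User@Example.com"))
```

The C# on the slide goes through DateTime.FromFileTime (local time) and then ToUniversalTime; the Python works in UTC throughout, which is the same result except across a DST transition, so if you port this, prefer the UTC conversion end to end.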
Boolean flags
MA1: Inbound flow             InMA1 = true
AllObjects MA: Inbound flow   InMA1 = false
Synchronization Rule          IIF(InMA1, …)
Scoping Filter                InMA1 equal true
References!
• Extend FIM schema to handle Organizational tree
• Modify connected systems to get References
• Take a turn through SQL to enhance References
• PowerShell MA gives extended possibilities
Update using Reference
Update using Reference
Lookup (custom expression; comparisons written with the function evaluator's Eq(), and the nested IIF picks the DisplayName of the level-3 ancestor):
    IIF(Eq([//Target/Org/OrgLevel],3),[//Target/Org/DisplayName],
     IIF(Eq([//Target/Org/OrgLevel],4),[//Target/Org/Org/DisplayName],
      IIF(Eq([//Target/Org/OrgLevel],5),[//Target/Org/Org/Org/DisplayName],
       IIF(Eq([//Target/Org/OrgLevel],6),[//Target/Org/Org/Org/Org/DisplayName],
        [//Target/Org/Org/Org/Org/Org/DisplayName]))))
Target: [//Target/Company]
Watch out for locks!
Serialize Activities – Not Parallel!
MPR1: OrgUnit changed -> WF1:
    Activity 1: Update Department
    Activity 2: Update Company – LOCK
MPR2: Department changed -> WF2:
    Activity 1: Update “some attribute” – LOCK
    Activity 2: Notify new manager – OK
Watch out for locks!
Serialize Activities – Not Parallel!
MPR1: OrgUnit changed -> WF1:
    Activity 1: Update Department
    Activity 2: Update Company
    Add -> Activity 3: Update “some attribute”
MPR2: Department changed -> WF2:
    Del -> Activity 1: Update “some attribute”
    Activity 2: Notify new manager
Updating Department in WF1 fires MPR2, so WF2 was running alongside WF1 and both tried to write the same object; moving the update into WF1 runs it after the other activities instead of in parallel.
New User Example
Use SQL intelligence
create view [dbo].[vOrgTree] as
/*
Level describes the level in the org tree, where 1 is the top level.
Writer: Marcus Olsson, XP Services AB, 2013
*/
with OrgTree as (
    -- Anchor (get the top level in the tree)
    select ObjectID, cast(null as varchar(50)) as Org, DisplayName, 1 as [Level]
    from OrgObjekt as o
    where ObjectType='O'
      and not exists(select * from Relations where ObjectType='O' and Kpl=2 and ObjectID=o.ObjectID)
    union all
    -- Underlying structure
    select o.ObjectID, r.KplID, o.DisplayName, [Level] + 1
    from OrgTree as ot                    -- This CTE (to create an iteration)
    inner join Relations as r             -- Relations
        on ot.ObjectID=r.KplID and kpl=2  -- Find Orgs that have this one as their parent
    inner join OrgObjekt as o             -- Info on underlying orgs
        on r.ObjectID=o.ObjectID          -- Connect "child" to the table
)
select
    ot.ObjectID
    ,'Organisation' as ObjectType
    ,Org
    ,DisplayName as Title
    ,[Level]
from OrgTree as ot
left join Relations as r
    on ot.ObjectID=r.KplID and r.Kpl=12
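The vOrgTree view above computes each org's Level with a recursive CTE, and the Lookup expression on the "Update using Reference" slide then walks the Org references up to the level-3 ancestor to fill Company. The block below is an added example, not part of the slides or of XP Services' code: it loads a constructed org tree with the same OrgObjekt / Relations shape (Kpl=2 meaning "belongs to") into SQLite, runs the equivalent CTE (SQLite spells it WITH RECURSIVE and the unused Kpl=12 join is left out), and then resolves Company with a loop that generalises the nested IIF to any depth instead of stopping at OrgLevel 6. Table and column names follow the view; every row is constructed.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the slides). Relations rows are
# (ObjectID, KplID, Kpl): child, parent, relation type; Kpl=2 = "belongs to".
ORG_OBJEKT = [
    ("O1", "O", "Holding"),         # level 1
    ("O2", "O", "Sub Holding"),     # level 2
    ("O3", "O", "Company A"),       # level 3: this is what Company should become
    ("O4", "O", "Department A1"),   # level 4
    ("O5", "O", "Team A1-x"),       # level 5
    ("O6", "O", "Company B"),       # level 3
]
RELATIONS = [
    ("O2", "O1", 2), ("O3", "O2", 2), ("O4", "O3", 2), ("O5", "O4", 2), ("O6", "O2", 2),
]

# SQLite form of the slide's vOrgTree CTE: same anchor (orgs that are nobody's child)
# and same recursive step (children of rows found so far, one level deeper).
ORG_TREE_SQL = """
WITH RECURSIVE OrgTree(ObjectID, Org, DisplayName, Level) AS (
    SELECT o.ObjectID, NULL, o.DisplayName, 1
    FROM OrgObjekt AS o
    WHERE o.ObjectType = 'O'
      AND NOT EXISTS (SELECT 1 FROM Relations AS r
                      WHERE r.Kpl = 2 AND r.ObjectID = o.ObjectID)
    UNION ALL
    SELECT o.ObjectID, r.KplID, o.DisplayName, ot.Level + 1
    FROM OrgTree AS ot
    JOIN Relations AS r ON r.KplID = ot.ObjectID AND r.Kpl = 2
    JOIN OrgObjekt AS o ON o.ObjectID = r.ObjectID
)
SELECT ObjectID, Org, DisplayName, Level FROM OrgTree
"""

OrgTree = Dict[str, Tuple[Optional[str], str, int]]  # ObjectID -> (parent, DisplayName, Level)


def build_org_tree() -> OrgTree:
    """Load the sample rows into an in-memory SQLite DB and evaluate the recursive CTE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrgObjekt (ObjectID TEXT, ObjectType TEXT, DisplayName TEXT)")
    conn.execute("CREATE TABLE Relations (ObjectID TEXT, KplID TEXT, Kpl INTEGER)")
    conn.executemany("INSERT INTO OrgObjekt VALUES (?, ?, ?)", ORG_OBJEKT)
    conn.executemany("INSERT INTO Relations VALUES (?, ?, ?)", RELATIONS)
    tree = {oid: (parent, name, level) for oid, parent, name, level in conn.execute(ORG_TREE_SQL)}
    conn.close()
    return tree


COMPANY_LEVEL = 3  # the Lookup expression returns the DisplayName of the level-3 ancestor


def company_for(org_id: str, tree: OrgTree) -> Optional[str]:
    """Climb [//Target/Org/Org/...] until OrgLevel == 3, like the nested IIF but for any depth.
    Returns None (a choice made here) for an unknown org or one above level 3; the step bound
    guards against a cyclic Relations table, which would also never terminate in the CTE."""
    for _ in range(len(tree) + 1):
        if org_id not in tree:
            return None
        parent, name, level = tree[org_id]
        if level == COMPANY_LEVEL:
            return name
        if level < COMPANY_LEVEL or parent is None:
            return None
        org_id = parent
    return None


if __name__ == "__main__":
    t = build_org_tree()
    for oid in sorted(t):
        print(oid, t[oid], "-> Company:", company_for(oid, t))
```

Precomputing Level in SQL is what keeps the FIM side codeless: the workflow only compares one integer attribute and follows references, while the recursion lives in the view.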
SQL and PS MA – NOT XMA
[Diagram; boxes as labelled on the slide: HR (Person, Org) – File Export – Get Files – Bulk Insert – PS MA – SQL Logic – SQL Import – FIM (Person, Org); SQL tables FIMObjects and FIMMVData. The boxes suggest HR data is exported to files, picked up and bulk-inserted into SQL by the PowerShell MA, and prepared by SQL logic before it is imported into FIM.]
What about Deprovisioning?
“Kent’s Best Practices”
• READ Carol’s great article: http://aka.ms/fimdeprovisioning
• NO MV Object Deletions! Once created in MV/FIM Service it stays, for traceability reasons
• Repopulate join attributes using FIM Service MA or other side-meta
• Deprovision using Rules Extension
Summary
“Kent’s Best Practices”
• Simple logic -> Synchronization Rule
• Complex logic -> WorkFlow activity
• Performance -> SQL
